| = TMP =
| |
| == Description ==
| |
| === Handling key material ===
| |
| ; Key material identifies the cryptographic secrets that compose a key.
| |
| ; All key material must be treated as RESTRICTED data
| |
| * Only individuals with specific training and the need-to-know should have access to key material.
| |
| * Key material must be encrypted in transit.
| |
| * Key material can be stored in clear text, but only with proper access control (limited access).
| |
| | |
| ; This includes
| |
| * OpenSSH server keys (<tt>/etc/ssh/ssh_host_*key</tt>)
| |
| * Client keys (<tt>~/.ssh/id_{rsa,dsa,ecdsa,ed25519}</tt> and <tt>~/.ssh/identity</tt>).
| |
| | |
| === Client key size and login latency ===
| |
| Figure out the impact on performance of using larger keys
| |
| * Such as RSA 4096 bytes keys - on the client side
| |
| | |
| ; Tests
| |
| Idle, i7 4500 intel CPU
| |
| * OpenSSH_6.7p1
| |
| * OpenSSL 1.0.1l
| |
| * ed25519 server keys
| |
| | |
| The following command is run 10 times:
| |
| time ssh localhost -i .ssh/id_thekey exit
| |
| | |
| ; Results
| |
| {|| class="wikitable sortable"
| |
| |-
| |
| || '''Client key '''
| |
| || '''Minimum '''
| |
| || '''Maximum '''
| |
| || '''Average '''
| |
| |-
| |
| || RSA 4096
| |
| || 120ms
| |
| || 145ms
| |
| || 127ms
| |
| |-
| |
| || RSA 2048
| |
| || 120ms
| |
| || 129ms
| |
| || 127ms
| |
| |-
| |
| || ed25519
| |
| || 117ms
| |
| || 138ms
| |
| || 120ms
| |
| |-
| |
| |}
| |
| | |
| ; Slower Machines
| |
| These numbers may differ on a slower machine
| |
| * This contains the complete login sequence
| |
| * Therefore is subject to variations
| |
| | |
| ; Summary
| |
| * The latency differences are not significant
| |
| * It does not impact performance sufficiently
| |
| | |
| == OpenSSH server ==
| |
| ; SSH is used to
| |
| * remotely manage computer systems
| |
| * securely transfer files over untrusted networks
| |
| * create "ad-hoc" virtual-private networks
| |
| | |
| === OpenSSH ===
| |
| * [https://www.openssh.com/ OpenSSH] is the most popular implementation of the SSH protocol
| |
| * It is maintained by the [https://openbsd.org/ OpenBSD] project
| |
| * Portable versions are distributed with many Unix-like operating systems and Windows Server
| |
| | |
| ==== Tested with Version ====
| |
| * OpenSSH 6.6p1 (Gentoo)
| |
| * OpenSSH 6.6p1-2 on Ubuntu 14.04.2 LTS
| |
| * OpenSSH 7.2p2 on Ubuntu 16.04.3 LTS
| |
| | |
| ==== Settings ====
| |
| ; Important OpenSSH 6.6 security settings
| |
| # Package generated configuration file
| |
| # See the sshd_config(5) manpage for details
| |
| # What ports, IPs and protocols we listen for
| |
| Port 22
| |
| # Use these options to restrict which interfaces/protocols sshd will bind to
| |
| #ListenAddress ::
| |
| #ListenAddress 0.0.0.0
| |
| Protocol 2
| |
| # HostKeys for protocol version 2
| |
| HostKey /etc/ssh/ssh_host_rsa_key
| |
| #HostKey /etc/ssh/ssh_host_dsa_key
| |
| #HostKey /etc/ssh/ssh_host_ecdsa_key
| |
| HostKey /etc/ssh/ssh_host_ed25519_key
| |
| #Privilege Separation is turned on for security
| |
| UsePrivilegeSeparation yes
| |
| # Lifetime and size of ephemeral version 1 server key
| |
| KeyRegenerationInterval 3600
| |
| ServerKeyBits 1024
| |
| # Logging
| |
| SyslogFacility AUTH
| |
| LogLevel INFO
| |
| # Authentication:
| |
| LoginGraceTime 120
| |
| # 'no', or 'without-password' to allow SSH key based login
| |
| PermitRootLogin no
| |
| StrictModes yes
| |
| RSAAuthentication yes
| |
| PubkeyAuthentication yes
| |
| #AuthorizedKeysFile %h/.ssh/authorized_keys
| |
| # Don't read the user's ~/.rhosts and ~/.shosts files
| |
| IgnoreRhosts yes
| |
| # For this to work you will also need host keys in /etc/ssh_known_hosts
| |
| RhostsRSAAuthentication no
| |
| # similar for protocol version 2
| |
| HostbasedAuthentication no
| |
| # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
| |
| #IgnoreUserKnownHosts yes
| |
| # To enable empty passwords, change to yes (NOT RECOMMENDED)
| |
| PermitEmptyPasswords no
| |
| # Change to yes to enable challenge-response passwords (beware issues with
| |
| # some PAM modules and threads)
| |
| ChallengeResponseAuthentication no
| |
| # Change to no to disable tunnelled clear text passwords
| |
| #PasswordAuthentication yes
| |
| # Kerberos options
| |
| #KerberosAuthentication no
| |
| #KerberosGetAFSToken no
| |
| #KerberosOrLocalPasswd yes
| |
| #KerberosTicketCleanup yes
| |
| # GSSAPI options
| |
| #GSSAPIAuthentication no
| |
| #GSSAPICleanupCredentials yes
| |
| # Cipher selection
| |
| Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
| |
| MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
| |
| KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
| |
| X11Forwarding yes
| |
| X11DisplayOffset 10
| |
| PrintMotd no
| |
| PrintLastLog yes
| |
| TCPKeepAlive yes
| |
| #UseLogin no
| |
| #MaxStartups 10:30:60
| |
| #Banner /etc/issue.net
| |
| # Allow client to pass locale environment variables
| |
| AcceptEnv LANG LC_*
| |
| Subsystem sftp /usr/lib/openssh/sftp-server
| |
| # Set this to 'yes' to enable PAM authentication, account processing,
| |
| # and session processing. If this is enabled, PAM authentication will
| |
| # be allowed through the ChallengeResponseAuthentication and
| |
| # PasswordAuthentication. Depending on your PAM configuration,
| |
| # PAM authentication via ChallengeResponseAuthentication may bypass
| |
| # the setting of "PermitRootLogin without-password".
| |
| # If you just want the PAM account and session checks to run without
| |
| # PAM authentication, then enable this but set PasswordAuthentication
| |
| # and ChallengeResponseAuthentication to 'no'.
| |
| UsePAM yes
| |
| | |
| ; Curve25519
| |
| : OpenSSH 6.6p1 supports Curve25519
| |
| | |
| ==== Tested with Version ====
| |
| * OpenSSH 6.5 (Debian Jessie)
| |
| | |
| ==== Settings ====
| |
| ; Important OpenSSH 6.5 security settings
| |
| # Package generated configuration file
| |
| # See the sshd_config(5) manpage for details
| |
| # What ports, IPs and protocols we listen for
| |
| Port 22
| |
| # Use these options to restrict which interfaces/protocols sshd will bind to
| |
| #ListenAddress ::
| |
| #ListenAddress 0.0.0.0
| |
| Protocol 2
| |
| # HostKeys for protocol version 2
| |
| HostKey /etc/ssh/ssh_host_rsa_key
| |
| #HostKey /etc/ssh/ssh_host_dsa_key
| |
| #HostKey /etc/ssh/ssh_host_ecdsa_key
| |
| HostKey /etc/ssh/ssh_host_ed25519_key
| |
| #Privilege Separation is turned on for security
| |
| UsePrivilegeSeparation yes
| |
| # Lifetime and size of ephemeral version 1 server key
| |
| KeyRegenerationInterval 3600
| |
| ServerKeyBits 1024
| |
| # Logging
| |
| SyslogFacility AUTH
| |
| LogLevel INFO
| |
| # Authentication:
| |
| LoginGraceTime 120
| |
| # 'no', or 'without-password' to allow SSH key based login
| |
| PermitRootLogin no
| |
| StrictModes yes
| |
| RSAAuthentication yes
| |
| PubkeyAuthentication yes
| |
| #AuthorizedKeysFile %h/.ssh/authorized_keys
| |
| # Don't read the user's ~/.rhosts and ~/.shosts files
| |
| IgnoreRhosts yes
| |
| # For this to work you will also need host keys in /etc/ssh_known_hosts
| |
| RhostsRSAAuthentication no
| |
| # similar for protocol version 2
| |
| HostbasedAuthentication no
| |
| # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
| |
| #IgnoreUserKnownHosts yes
| |
| # To enable empty passwords, change to yes (NOT RECOMMENDED)
| |
| PermitEmptyPasswords no
| |
| # Change to yes to enable challenge-response passwords (beware issues with
| |
| # some PAM modules and threads)
| |
| ChallengeResponseAuthentication no
| |
| # Change to no to disable tunnelled clear text passwords
| |
| #PasswordAuthentication yes
| |
| # Kerberos options
| |
| #KerberosAuthentication no
| |
| #KerberosGetAFSToken no
| |
| #KerberosOrLocalPasswd yes
| |
| #KerberosTicketCleanup yes
| |
| # GSSAPI options
| |
| #GSSAPIAuthentication no
| |
| #GSSAPICleanupCredentials yes
| |
| # Cipher selection
| |
| Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
| |
| MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
| |
| KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
| |
| X11Forwarding yes
| |
| X11DisplayOffset 10
| |
| PrintMotd no
| |
| PrintLastLog yes
| |
| TCPKeepAlive yes
| |
| #UseLogin no
| |
| #MaxStartups 10:30:60
| |
| #Banner /etc/issue.net
| |
| # Allow client to pass locale environment variables
| |
| AcceptEnv LANG LC_*
| |
| Subsystem sftp /usr/lib/openssh/sftp-server
| |
| # Set this to 'yes' to enable PAM authentication, account processing,
| |
| # and session processing. If this is enabled, PAM authentication will
| |
| # be allowed through the ChallengeResponseAuthentication and
| |
| # PasswordAuthentication. Depending on your PAM configuration,
| |
| # PAM authentication via ChallengeResponseAuthentication may bypass
| |
| # the setting of "PermitRootLogin without-password".
| |
| # If you just want the PAM account and session checks to run without
| |
| # PAM authentication, then enable this but set PasswordAuthentication
| |
| # and ChallengeResponseAuthentication to 'no'.
| |
| UsePAM yes
| |
| | |
| ==== Tested with Version ====
| |
| * OpenSSH 6.0p1 (Debian wheezy)
| |
| | |
| ==== Settings ====
| |
| ; Important OpenSSH 6.0 security settings
| |
| # Package generated configuration file
| |
| # See the sshd_config(5) manpage for details
| |
| # What ports, IPs and protocols we listen for
| |
| Port 22
| |
| # Use these options to restrict which interfaces/protocols sshd will bind to
| |
| #ListenAddress ::
| |
| #ListenAddress 0.0.0.0
| |
| Protocol 2
| |
| # HostKeys for protocol version 2
| |
| HostKey /etc/ssh/ssh_host_rsa_key
| |
| #HostKey /etc/ssh/ssh_host_dsa_key
| |
| #HostKey /etc/ssh/ssh_host_ecdsa_key
| |
| #Privilege Separation is turned on for security
| |
| UsePrivilegeSeparation yes
| |
| # Lifetime and size of ephemeral version 1 server key
| |
| KeyRegenerationInterval 3600
| |
| ServerKeyBits 768
| |
| # Logging
| |
| SyslogFacility AUTH
| |
| LogLevel INFO
| |
| # Authentication:
| |
| LoginGraceTime 120
| |
| # 'no', or 'without-password' to allow SSH key based login
| |
| PermitRootLogin no
| |
| StrictModes yes
| |
| RSAAuthentication yes
| |
| PubkeyAuthentication yes
| |
| #AuthorizedKeysFile %h/.ssh/authorized_keys
| |
| # Don't read the user's ~/.rhosts and ~/.shosts files
| |
| IgnoreRhosts yes
| |
| # For this to work you will also need host keys in /etc/ssh_known_hosts
| |
| RhostsRSAAuthentication no
| |
| # similar for protocol version 2
| |
| HostbasedAuthentication no
| |
| # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
| |
| #IgnoreUserKnownHosts yes
| |
| # To enable empty passwords, change to yes (NOT RECOMMENDED)
| |
| PermitEmptyPasswords no
| |
| # Change to yes to enable challenge-response passwords (beware issues with
| |
| # some PAM modules and threads)
| |
| ChallengeResponseAuthentication no
| |
| # Change to no to disable tunnelled clear text passwords
| |
| #PasswordAuthentication yes
| |
| # Kerberos options
| |
| #KerberosAuthentication no
| |
| #KerberosGetAFSToken no
| |
| #KerberosOrLocalPasswd yes
| |
| #KerberosTicketCleanup yes
| |
| # GSSAPI options
| |
| #GSSAPIAuthentication no
| |
| #GSSAPICleanupCredentials yes
| |
| # Cipher selection
| |
| Ciphers aes256-ctr,aes128-ctr
| |
| MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
| |
| KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
| |
| X11Forwarding yes
| |
| X11DisplayOffset 10
| |
| PrintMotd no
| |
| PrintLastLog yes
| |
| TCPKeepAlive yes
| |
| #UseLogin no
| |
| #MaxStartups 10:30:60
| |
| #Banner /etc/issue.net
| |
| # Allow client to pass locale environment variables
| |
| AcceptEnv LANG LC_*
| |
| Subsystem sftp /usr/lib/openssh/sftp-server
| |
| # Set this to 'yes' to enable PAM authentication, account processing,
| |
| # and session processing. If this is enabled, PAM authentication will
| |
| # be allowed through the ChallengeResponseAuthentication and
| |
| # PasswordAuthentication. Depending on your PAM configuration,
| |
| # PAM authentication via ChallengeResponseAuthentication may bypass
| |
| # the setting of "PermitRootLogin without-password".
| |
| # If you just want the PAM account and session checks to run without
| |
| # PAM authentication, then enable this but set PasswordAuthentication
| |
| # and ChallengeResponseAuthentication to 'no'.
| |
| UsePAM yes
| |
| | |
| ==== Compatibility ====
| |
| * Older '''Linux''' systems won’t support SHA2
| |
| * PuTTY (Windows) does not support RIPE-MD160.
| |
| * Curve25519, AES-GCM and UMAC are only available upstream (OpenSSH 6.6p1).
| |
| * DSA host keys have been removed on purpose: the DSS standard does not support DSA keys stronger than 1024 bit [[https://bettercrypto.org/#_footnotedef_5 5]], which is far below current standards (see section #section:keylengths).
| |
| * Legacy systems can use this configuration and simply omit unsupported ciphers, key exchange algorithms and MACs.
| |
| | |
| ==== References ====
| |
| The OpenSSH [https://www.openssh.org/cgi-bin/man.cgi?query=sshd_config sshd_config — OpenSSH SSH daemon configuration file] man page is the best reference.
| |
| | |
| ==== How to test ====
| |
| Connect a client with verbose logging enabled to the SSH server
| |
| $ ssh -vvv myserver.com
| |
| and observe the key exchange in the output.
| |
| | |
| === Cisco ASA ===
| |
| | |
| ==== Tested with Versions ====
| |
| * 9.1(3)
| |
| | |
| ==== Settings ====
| |
| * crypto key generate rsa modulus 2048
| |
| * ssh version 2
| |
| * ssh key-exchange group dh-group14-sha1
| |
| | |
| | |
| * When the ASA is configured for SSH, by default both SSH versions 1 and 2 are allowed.
| |
| * In addition to that, only a group1 DH-key-exchange is used.
| |
| * This should be changed to allow only SSH version 2 and to use a key-exchange with group14.
| |
| * The generated RSA key should be 2048 bit (the actual supported maximum).
| |
| * A non-cryptographic best practice is to reconfigure the lines to only allow SSH-logins.
| |
| | |
| ==== References ====
| |
| # [https://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/admin_management.html CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.1]
| |
| | |
| ==== How to test ====
| |
| Connect a client with verbose logging enabled to the SSH server
| |
| $ ssh -vvv myserver.com
| |
| and observe the key exchange in the output.
| |
| | |
| === Cisco IOS ===
| |
| ==== Tested Versions ====
| |
| | |
| {| class="wikitable sortable options" style="border-spacing:0;width:9.259cm;"
| |
| |-
| |
| || Program Version
| |
| || OS/Distribution/Version
| |
| || Comment
| |
| |-
| |
| || 15.0
| |
| || IOS
| |
| ||
| |
| |-
| |
| || 15.1
| |
| || IOS
| |
| ||
| |
| |-
| |
| || 15.2
| |
| || IOS
| |
| ||
| |
| |-
| |
| |}
| |
| | |
| ==== Settings ====
| |
| crypto key generate rsa modulus 4096 label SSH-KEYS
| |
| ip ssh rsa keypair-name SSH-KEYS
| |
| ip ssh version 2
| |
| ip ssh dh min size 2048
| |
| line vty 0 15
| |
| transport input ssh
| |
| | |
| * As with the ASA, IOS by default allows both SSH versions 1 and 2, and the DH key exchange only uses a DH group of 768 bit.
| |
| * In IOS, a dedicated key pair can be bound to SSH to reduce the usage of individual key pairs.
| |
| * From IOS version 15.0 onwards, 4096-bit RSA keys are supported and should be used according to the paradigm "use longest supported key".
| |
| * Also, do not forget to disable telnet vty access.
| |
| | |
| ==== References ====
| |
| [https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html Cisco SSH]
| |
| | |
| {| class="wikitable sortable options"
| |
| |-
| |
| ||
| |
| || This guide is a basic SSH reference for all routers and switches. Please refer to the specific documentation of the device and IOS version that you are configuring.
| |
| |-
| |
| |}
| |
| | |
| ==== How to test ====
| |
| Connect a client with verbose logging enabled to the SSH server
| |
| $ ssh -vvv switch.example.net
| |
| and observe the key exchange in the output.
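The "How to test" steps on this page (OpenSSH, Cisco ASA, Cisco IOS) all end with reading <tt>ssh -vvv</tt> output by eye. The following is an added example, not part of the original guide, that pulls the server's offered algorithms out of such a log and reports anything outside an allow-list. The allow-lists are the OpenSSH 6.6 "Settings" lists from this page, the debug line format assumed is that of an OpenSSH 7.x or later client, and the sample log is constructed.

```shell
#!/bin/sh
# Added example: compare the algorithms a server offers (from the
# "peer server KEXINIT proposal" part of `ssh -vvv` output) with allow-lists.
# Allow-lists: the OpenSSH 6.6 "Settings" lists from this page; adjust per device.
ALLOW_KEX='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'
ALLOW_CIPHERS='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr'
ALLOW_MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'

# server_offer FIELD < log : print the comma list the server sent for FIELD
# ("KEX algorithms", "ciphers stoc", "MACs stoc"). The client's own proposal
# uses the same field names, so only lines after the peer marker count.
server_offer() {
    awk -v want="debug2: $1: " '
        /local client KEXINIT proposal/ { peer = 0 }
        /peer server KEXINIT proposal/  { peer = 1 }
        peer && index($0, want) == 1 { print substr($0, length(want) + 1); exit }
    '
}

# not_allowed OFFERED ALLOWED : print offered names that ALLOWED lacks.
not_allowed() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r alg; do
        case "$alg" in
            # empty entries and protocol signalling names are not algorithms
            ''|ext-info-s|kex-strict-s-v00@openssh.com) continue ;;
        esac
        case ",$2," in
            *",$alg,"*) ;;
            *) printf '%s\n' "$alg" ;;
        esac
    done
}

# audit_server_offer LOGFILE : one line per finding, exit status 1 if any.
audit_server_offer() {
    aso_rc=0
    for aso_pair in "KEX algorithms|$ALLOW_KEX" "ciphers stoc|$ALLOW_CIPHERS" \
                    "MACs stoc|$ALLOW_MACS"; do
        aso_field=${aso_pair%%|*}
        aso_offer=$(server_offer "$aso_field" < "$1")
        if [ -z "$aso_offer" ]; then
            echo "$aso_field: no server proposal in log (was -vvv used?)"
            aso_rc=1
            continue
        fi
        for aso_alg in $(not_allowed "$aso_offer" "${aso_pair#*|}"); do
            echo "$aso_field: $aso_alg not in allow-list"
            aso_rc=1
        done
    done
    return $aso_rc
}

# Constructed sample log; host software name and offers are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
debug1: Remote protocol version 2.0, remote software version ExampleSSH_1.0
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ext-info-c
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-ctr
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-ed25519
debug2: ciphers ctos: aes256-ctr,aes128-ctr,aes128-cbc,3des-cbc
debug2: ciphers stoc: aes256-ctr,aes128-ctr,aes128-cbc,3des-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha1,hmac-md5
debug2: MACs stoc: hmac-sha2-256,hmac-sha1,hmac-md5
debug1: kex: algorithm: curve25519-sha256@libssh.org
EOF
}
```

The debug output goes to stderr, so a real log is captured with <tt>ssh -vvv switch.example.net exit 2> ssh.log</tt> and then passed to <tt>audit_server_offer ssh.log</tt>.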
| |
| | |
| | |
| [[Kategorie:Kryptografie:Best Practice]]
| |
| [[Kategorie:SSH]]
|
| |
| == Configuration ==
| |
| Different versions of OpenSSH support different options which are not always compatible.
| |
| * This guide shows settings for the most commonly deployed OpenSSH versions at Mozilla - however, using the latest version of OpenSSH is recommended.
| |
|
| |
| ==== Modern (OpenSSH 6.7+) ====
| |
| ; /etc/ssh/sshd_config
| |
| # Supported HostKey algorithms by order of preference.
| |
| HostKey /etc/ssh/ssh_host_ed25519_key
| |
| HostKey /etc/ssh/ssh_host_rsa_key
| |
| HostKey /etc/ssh/ssh_host_ecdsa_key
| |
|
| |
| KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
| |
|
| |
| Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
| |
|
| |
| MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
| |
|
| |
| # Password based logins are disabled - only public key based logins are allowed.
| |
| AuthenticationMethods publickey
| |
|
| |
| # LogLevel VERBOSE logs user's key fingerprint on login.
| |
| # Needed to have a clear audit trail of which key was used to log in.
| |
| LogLevel VERBOSE
| |
|
| |
| # Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
| |
| Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
| |
|
| |
| # Root login is not allowed for auditing reasons.
| |
| # This is because it's difficult to track which process belongs to which root user:
| |
| #
| |
| # On Linux, user sessions are tracked using a kernel-side session id, however, this session id is not recorded by OpenSSH.
| |
| # Additionally, only tools such as systemd and auditd record the process session id.
| |
| # On other OSes, the user session id is not necessarily recorded at all kernel-side.
| |
| # Using regular users in combination with /bin/su or /usr/bin/sudo ensures a clear audit trail.
| |
| PermitRootLogin No
| |
|
| |
| # Use kernel sandbox mechanisms where possible in unprivileged processes
| |
| # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
| |
| UsePrivilegeSeparation sandbox
| |
|
| |
| ; /etc/ssh/moduli
| |
| All Diffie-Hellman moduli in use should be at least 3072-bit-long (they are used for <tt>diffie-hellman-group-exchange-sha256</tt>) as per our [https://wiki.mozilla.org/Security/Guidelines/Key_Management Security/Guidelines/Key_Management] recommendations.
| |
| * See also <tt>man moduli</tt>.
| |
|
| |
| To deactivate short moduli in two commands: <tt>awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli</tt>
| |
|
| |
| ==== Intermediate (OpenSSH 5.3) ====
| |
| This is mainly for use by RHEL6, CentOS6, etc., which run older versions of OpenSSH.
| |
|
| |
| File: <tt>/etc/ssh/sshd_config</tt>
| |
|
| |
| # Supported HostKey algorithms by order of preference.
| |
| HostKey /etc/ssh/ssh_host_rsa_key
| |
| HostKey /etc/ssh/ssh_host_ecdsa_key
| |
|
| |
| KexAlgorithms diffie-hellman-group-exchange-sha256
| |
| MACs hmac-sha2-512,hmac-sha2-256
| |
| Ciphers aes256-ctr,aes192-ctr,aes128-ctr
| |
|
| |
| # Password based logins are disabled - only public key based logins are allowed.
| |
| RequiredAuthentications2 publickey
| |
|
| |
| # RequiredAuthentications2 does not work on official OpenSSH 5.3 portable.
| |
| # If this is your case, use this instead:
| |
| #PubkeyAuthentication yes
| |
| #PasswordAuthentication no
| |
|
| |
| # LogLevel VERBOSE logs user's key fingerprint on login.
| |
| # Needed to have a clear audit trail of which key was used to log in.
| |
| LogLevel VERBOSE
| |
|
| |
| # Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
| |
| Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
| |
|
| |
| # Root login is not allowed for auditing reasons.
| |
| # This is because it's difficult to track which process belongs to which root user:
| |
| #
| |
| # On Linux, user sessions are tracked using a kernel-side session id, however, this session id is not recorded by OpenSSH.
| |
| # Additionally, only tools such as systemd and auditd record the process session id.
| |
| # On other OSes, the user session id is not necessarily recorded at all kernel-side.
| |
| # Using regular users in combination with /bin/su or /usr/bin/sudo ensures a clear audit trail.
| |
| PermitRootLogin No
| |
|
| |
| File: <tt>/etc/ssh/moduli</tt>
| |
|
| |
| All Diffie-Hellman moduli in use should be at least 2048-bit-long.
| |
| * From the structure of <tt>moduli</tt> files, this means the fifth field of all lines in this file should be greater than or equal to 2047.
| |
|
| |
| To deactivate weak moduli in two commands: <tt>awk '$5 >= 2047' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli</tt>
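The two <tt>/etc/ssh/moduli</tt> passages above (3071 for Modern, 2047 for Intermediate) use the same one-line <tt>awk</tt> filter. The following is an added example, not part of the original guide, that first reports how many entries a threshold would keep and drop, then filters while keeping comment lines and refusing to write a file with no moduli left. Function names are hypothetical and the sample entries are constructed placeholders, not real primes.

```shell
#!/bin/sh
# Added example: audit and filter an OpenSSH moduli file by minimum size.
# Thresholds follow the page: field 5 >= 2047 for 2048-bit moduli,
# field 5 >= 3071 for 3072-bit moduli.

# moduli_report MIN FILE : print "<kept> <dropped>" for that threshold.
moduli_report() {
    awk -v min="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blanks
        $5 + 0 >= min + 0 { kept++; next }
        { dropped++ }
        END { printf "%d %d\n", kept, dropped }
    ' "$2"
}

# filter_moduli MIN SRC DST : write entries >= MIN (comments kept) to DST.
# SRC and DST may be the same file. Fails, leaving DST untouched, when no
# entry would survive the filter.
filter_moduli() {
    fm_min=$1 fm_src=$2 fm_dst=$3
    set -- $(moduli_report "$fm_min" "$fm_src")
    if [ "$1" -eq 0 ]; then
        echo "no moduli >= $fm_min in $fm_src; not writing $fm_dst" >&2
        return 1
    fi
    fm_tmp=$(mktemp "$fm_dst.XXXXXX") || return 1
    if awk -v min="$fm_min" '
           /^[[:space:]]*#/ || NF == 0 || $5 + 0 >= min + 0
       ' "$fm_src" > "$fm_tmp"; then
        # mktemp creates the file 0600; the moduli file is public data
        chmod 644 "$fm_tmp" && mv "$fm_tmp" "$fm_dst"
    else
        rm -f "$fm_tmp"
        return 1
    fi
}

# Constructed sample: the last field stands in for the hex modulus.
write_sample_moduli() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20240101000000 2 6 100 1023 2 C0FFEE01
20240101000001 2 6 100 1535 2 C0FFEE02
20240101000002 2 6 100 2047 5 C0FFEE03
20240101000003 2 6 100 3071 2 C0FFEE04
20240101000004 2 6 100 4095 2 C0FFEE05
EOF
}
```

Running <tt>moduli_report 3071 /etc/ssh/moduli</tt> before <tt>filter_moduli 3071 /etc/ssh/moduli /etc/ssh/moduli</tt> shows what the change will remove.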
| |
|
| |
| ==== Multi-Factor Authentication (OpenSSH 6.3+) ====
| |
| Recent versions of OpenSSH support MFA (Multi-Factor Authentication).
| |
| * Using MFA is recommended where possible.
| |
|
| |
| It requires additional setup, such as using the [http://www.nongnu.org/oath-toolkit/ OATH Toolkit] or [https://www.duosecurity.com/ DuoSecurity].
| |
|
| |
| {|| class="wikitable sortable"
| |
| |-
| |
| || '''ATTENTION'''
| |
| |-
| |
| || In order to allow using one time passwords (OTPs) and any other text input, Keyboard-interactive is enabled in OpenSSH.
| |
| * This ''MAY'' allow for password authentication to work.
| |
| * It is therefore very important to check your PAM configuration so that PAM disallows password authentication for OpenSSH.
| |
|
| |
| |-
| |
| |}
| |
|
| |
| ===== OpenSSH 6.3+ (default) =====
| |
| File: <tt>/etc/ssh/sshd_config</tt>
| |
|
| |
| # IMPORTANT: you will have to ensure OpenSSH cannot authenticate with passwords with PAM in /etc/pam.d/sshd
| |
| # "PasswordAuthentication no" is not sufficient!
| |
| PubkeyAuthentication yes
| |
| PasswordAuthentication no
| |
| AuthenticationMethods publickey,keyboard-interactive:pam
| |
| KbdInteractiveAuthentication yes
| |
| UsePAM yes
| |
| # Ensure /bin/login is not used so that it cannot bypass PAM settings for sshd.
| |
| UseLogin no
| |
|
| |
| ===== OpenSSH 5.3+ w/ RedHat/CentOS patch (old) =====
| |
| File: <tt>/etc/ssh/sshd_config</tt>
| |
|
| |
| # Allow keyboard-interactive.
| |
| # IMPORTANT: you will have to ensure OpenSSH cannot authenticate with passwords with PAM in /etc/pam.d/sshd
| |
| # "PasswordAuthentication no" is not sufficient!
| |
| RequiredAuthentications2 publickey,keyboard-interactive:skey
| |
| PasswordAuthentication no
| |
| ChallengeResponseAuthentication yes
| |
| UsePAM yes
| |
| # Ensure /bin/login is not used so that it cannot bypass PAM settings for sshd.
| |
| UseLogin no
| |
|
| |
| PAM configuration for use with the [https://www.nongnu.org/oath-toolkit/ OATH Toolkit] or [https://www.duosecurity.com/ DuoSecurity] as second authentication factor.
| |
|
| |
| File: <tt>/etc/pam.d/sshd</tt>
| |
|
| |
| #%PAM-1.0
| |
| auth required pam_sepermit.so
| |
|
| |
| # WARNING: make sure any password authentication module is disabled.
| |
| # Example: pam_unix.so, or "password-auth", "system-auth", etc.
| |
| #auth include password-auth
| |
|
| |
| # Options to enable when using OATH toolkit
| |
| #auth requisite pam_oath.so usersfile=/etc/users.oath digits=6 window=20
| |
|
| |
| # Options to enable when using DuoSecurity
| |
| #auth sufficient /lib64/security/pam_duo.so
| |
|
| |
| account required pam_nologin.so
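The warning above says that <tt>PasswordAuthentication no</tt> is not sufficient once keyboard-interactive goes through PAM. The following is an added example, not part of the original guide, of a check that lists the active lines of a PAM service file that would still accept an account password. The module and stack names are the ones named in the file above; Debian's <tt>common-auth</tt> is an addition made here, and both sample files are constructed.

```shell
#!/bin/sh
# Added example: find active auth lines in a PAM service file that would let
# sshd's keyboard-interactive method accept an account password.
# Names checked: pam_unix.so, password-auth, system-auth (from this page)
# and common-auth (Debian-style stack, added here as an assumption).
# Only the given file is inspected; other included stacks are not followed.
pam_password_auth_lines() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }          # comments, blank lines
        { hit = 0 }
        $1 == "@include" && $2 ~ /^(common-auth|password-auth|system-auth)$/ {
            hit = 1
        }
        ($1 == "auth" || $1 == "-auth") {
            if (($2 == "include" || $2 == "substack") &&
                $3 ~ /^(common-auth|password-auth|system-auth)$/) hit = 1
            if ($0 ~ /pam_unix\.so/) hit = 1
        }
        hit { print FNR ": " $0 }
    ' "$1"
}

# pam_blocks_passwords FILE : succeeds only when no such line is active.
pam_blocks_passwords() {
    [ -z "$(pam_password_auth_lines "$1")" ]
}

# Constructed sample: the file from this page with the OATH line enabled.
write_pam_hardened() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
#auth       include      password-auth
auth       requisite    pam_oath.so usersfile=/etc/users.oath digits=6 window=20
account    required     pam_nologin.so
EOF
}

# Constructed sample: the same file with password stacks left active.
write_pam_weak() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
auth       sufficient   pam_unix.so nullok
auth       requisite    pam_oath.so usersfile=/etc/users.oath digits=6 window=20
account    required     pam_nologin.so
password   include      password-auth
EOF
}
```

On a server the check is run as <tt>pam_password_auth_lines /etc/pam.d/sshd</tt>; any output means the second factor can be replaced or preceded by a password prompt.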
| |
|
| |
| === Ciphers and algorithms choice ===
| |
| * When CHACHA20 (OpenSSH 6.5+) is not available, AES-GCM (OpenSSH 6.1+) and any other algorithm using EtM (Encrypt then MAC) [http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html disclose the packet length] - giving some information to the attacker.
| |
| * Only recent OpenSSH servers and clients support CHACHA20.
| |
|
| |
| * NIST curves (<tt>ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256</tt>) are listed for compatibility, but the use of <tt>curve25519</tt> is [https://safecurves.cr.yp.to/ generally preferred].
| |
|
| |
| * SSH protocol 2 supports [https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange DH] and [https://en.wikipedia.org/wiki/Elliptic_curve_Diffie–Hellman ECDH] key-exchange as well as [https://en.wikipedia.org/wiki/Forward_secrecy forward secrecy].
| |
| * Regarding group sizes, please refer to [https://wiki.mozilla.org/Security/Guidelines/Key_Management Security/Guidelines/Key_Management].
| |
|
| |
| The various algorithms supported by a particular OpenSSH version can be listed with the following commands:
| |
| $ ssh -Q cipher
| |
| $ ssh -Q cipher-auth
| |
| $ ssh -Q mac
| |
| $ ssh -Q kex
| |
| $ ssh -Q key
| |
|
| |
| == Reference documents ==
| |
| * [https://wiki.mozilla.org/Security/Key_Management Key Management]
| |
| * [https://wiki.mozilla.org/Security/Server_Side_TLS Server Side TLS]
| |
| * [https://www.ietf.org/rfc/rfc4418.txt RFC4418 (umac)]
| |
| * [http://www.openssh.com/txt/draft-miller-secsh-umac-01.txt umac draft]
| |
| * [https://safecurves.cr.yp.to/ Safe curves]
| |
| * [http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html DJM blog]
| |
| * [https://stribika.github.io/2015/01/04/secure-secure-shell.html Stribika blog]
| |
| * [http://2013.diac.cr.yp.to/slides/gueron.pdf AES-GCM performance study]
| |
| * [https://security.googleblog.com/2014/04/speeding-up-and-strengthening-https.html CHACHA20 vs AES-GCM performance study]
| |
| * [http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.9&content-type=text/plain PROTOCOL.certkeys]
| |
| * [https://wiki.gnupg.org/rfc4880bis rfc4880bis from GnuPG]
| |
| * [https://weakdh.org/ Weak Diffie-Hellman and the Logjam Attack]
| |
| * [https://jbeekman.nl/blog/2015/05/ssh-logjam/ On OpenSSH and Logjam, by Jethro Beekman]
| |